
Monday, December 12, 2011

The XSS hole I found in Google Analytics

So it looks like Google has patched this hole, so I'll run through what I did, where it was, and how they could have prevented it. It all comes down to one rule: sanitize all user inputs, no matter what. This persistent XSS hole I found was in the protocol field... you can see how I was able to inject an unauthorized protocol for the site's profile.
The exposure of this attack was very minimal... they didn't validate the protocol against the list of options provided. Even though this has been fixed, I still have a profile that has Chrome's special protocol on the analytics of one of my extensions.

By using the Chrome developer inspector you can modify the option list and add any protocol you want, well, at least when it worked.
Now that they have fixed it, this is the message that the UI shows when you try and send the unsupported protocol.

Github badges the easy way

I have a big problem with scope creep... it's one of the things I've been trying to work on as a developer, but it's just funny to me that I would have scope creep on a blog post. This entire post came out as scope creep of my previous post, because I wanted an easy way to add one of the GitHub ribbons that say "fork this repo". My problem came when I tried to use the code from this page on the GitHub blog, but it didn't work unless it was injected into the body... so I decided to write a simple script to inject the badge with JavaScript. All you have to do is include a little script tag with your username, the repo and what color, and it will automatically drop it on the page.

These are the options you can pass in the query string to change how it will be rendered:

  &usr= your GitHub username
  &repo= the repo to link to
  &side= which side ['left' or 'right']
  &color= the color of the ribbon ['red','orange','dblue','lgrey','green','white']

If you want to implement something that's not cross-browser then you should check this out. I really like what this guy did with his CSS3 version that has a special message when you mouse over.

And just so you can see what gets put onto the pages... you can choose left or right; the colors are the same.
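As an added example (not the author's badge script), here is the option-parsing half of such a script: it reads `usr`, `repo`, `side` and `color` from the script tag's own `src`, rejects anything outside the documented values so a query string can never smuggle markup into the page, and builds the ribbon HTML. The image host and `injectRibbon` wrapper are assumptions.

```javascript
// Added example, not the original badge script. Values are validated against
// the documented option lists before they ever touch the DOM.
const SIDES = new Set(["left", "right"]);
const COLORS = new Set(["red", "orange", "dblue", "lgrey", "green", "white"]);
// GitHub user and repo names: letters, digits, dot, underscore, hyphen only.
const NAME = /^[A-Za-z0-9_.-]{1,100}$/;

// Parse and validate the query string of the including <script src="..."> tag.
// Throws on any value outside the allowlists, so the caller never renders junk.
function parseBadgeOptions(scriptSrc) {
  const q = new URL(scriptSrc).searchParams;
  const usr = q.get("usr") || "";
  const repo = q.get("repo") || "";
  if (!NAME.test(usr) || !NAME.test(repo)) throw new Error("invalid usr/repo");
  const side = q.get("side") || "right";
  const color = q.get("color") || "red";
  if (!SIDES.has(side)) throw new Error("invalid side");
  if (!COLORS.has(color)) throw new Error("invalid color");
  return { usr, repo, side, color };
}

// Build the ribbon markup. The image host is a constructed placeholder.
function ribbonHtml(scriptSrc) {
  const { usr, repo, side, color } = parseBadgeOptions(scriptSrc);
  const img = `https://example.invalid/ribbons/forkme_${side}_${color}.png`;
  return `<a href="https://github.com/${usr}/${repo}">` +
    `<img style="position:absolute;top:0;${side}:0;border:0" ` +
    `src="${img}" alt="Fork me on GitHub"></a>`;
}

// Browser-only entry point (hypothetical): drop the ribbon into <body>.
function injectRibbon() {
  if (typeof document === "undefined" || !document.currentScript) return false;
  document.body.insertAdjacentHTML("beforeend", ribbonHtml(document.currentScript.src));
  return true;
}
```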

Saturday, December 10, 2011

Spelling in Node just got easier with gSpell

I've been doing a lot of programming in Node.js and I like to play with undocumented APIs, so it seemed natural, when I needed to do some spell checking, that I decided to use the undocumented XML API that Google uses to do spell-checking in the Firefox toolbar. I published the package to npm (the package manager for Node.js), so to install it all you have to do is

npm install gspell

and it's easy to check any text; it seems to be able to process pretty long strings. The script below shows how to check a string of text; it returns the result as the second argument to the callback function. Here's a JSON dump of the object it returns: in the array c there is an object for each spelling mistake. I've actually augmented the results the API returns to add the word it found that it thinks was misspelled. I used xml2js to parse the XML the REST API returns and request to make the HTTP calls. If you know of any changes that should be made, just fork the repo and make a pull request.

Wednesday, December 7, 2011

Godaddy Extortion for a Wordpress Install

I want this post to be a quick one, but I hope it points out the type of crap companies do to try and grab money. Most cPanel installations (it's the most common hosting control panel) have some kind of autoinstaller for open source packages, and WordPress itself is a super easy install, but some hosting companies try and get you to pay for more than you need. Most hosting bandwidth for small sites is never used... they buy too big a package, and the truth is it's best to start small and upgrade when you need to.

GoDaddy seems to be getting into this practice of overselling services... I understand the upsell when I'm checking out, but the truth is for most domains I don't need to buy the common spelling mistakes for my domain or every single ccTLD. But hey, you try and sell and we decline, that's fine. When I saw this I was just kinda sick. I can do a WordPress install in less than 10 min, but most users can't, so what does GoDaddy do? They make it so the novice user has to pay more to install something that's super easy anyway and has many tools that allow it to be auto-installed. There is no reason for GoDaddy to charge extra for installing the application; it costs them absolutely nothing to host those tiny WordPress blogs, and they are just doing a money grab and adding no value...

So if you need a WordPress blog fast and cheap, just go here and send me 5 bucks... I'll get you set up for a one-time fee and you won't have to keep paying those hosting companies for a bunch of bandwidth you don't need just so you can install WordPress easily.

Get WordPress set up for $5

Monday, December 5, 2011

Google gets graphing (and copies Bing / Wolfram Alpha)

One of the things Bing first did while they were trying to catch up with Google was partner with Wolfram Alpha, the computational knowledge engine, and it gave them the ability to graph math functions and such... it was actually pretty cool. I was like, hey, now I have a reason to go do a Bing query... so I had a little giggle today when I read the post on their blog, "Showing some love to math lovers", where they are now doing graphs just like Bing has (with the Google rainbow logo colors, of course).
It's actually pretty cool. I'm looking for more cool equations, so comment if you know any good ones... and with that I leave you with the idea that the big G can now graph love.

How to "Hack the vote"

I often like to tinker with computer security; it provides a lot of cool problems to solve, and when I'm able to figure something out I'm excited, because beyond script kiddie SQL injection (on my own databases) and some XSS I'm a pretty tame "hacker" (I did find a hole in Wells Fargo). So I happened upon an online voting contest running locally in Houston, and I assumed they built their own voting system, and I wanted to know what precautions they took against cheating. It's a hard problem to solve. I mean, "click fraud" by Google made Bing look foolish, and then there are things like astroturfing with Mechanical Turk, so it's a hard problem to solve and might not be the best case for "roll your own".

So anyway, these CultureMap guys wrote a post about how they caught a cheater... The funny thing is I had already asked my boss if we wanted to cheat at this... and I was going to cheat the right way (so it all looks natural and you don't get caught). As I dug into reverse engineering their system, it turns out they used a simple GET request for voting, which brings up some interesting issues. First, if a simple GET request is all you need, then you can make a webpage that makes people auto-vote by dropping the vote URL into the src of an image element (then when it tries to load the image it auto-votes). You also run the risk of GoogleBot crawling and voting... this was a big problem in the early days, where the "delete" link in some admin dashboard somehow was publicly crawled and everything got deleted as Google crawled each delete link. Same thing happened to their system... you can see in this Google query all the "Thanks for voting" messages Google saw and indexed. That means that Google got its say in who won the contest :) And another issue with this voting thank-you page is that anything you put into the URL is written directly to the page. We call that an XSS or Cross-Site Scripting attack... that will let me craft URLs to do all kinds of fun stuff, like make you link to me or steal the login cookies to your admin section. Here's just one example of what you can do injecting stuff into a page.

One way you can try and cut down on cheating is to block votes from the same IP, but then everyone in an office only gets one vote (because they all use the same IP). This is what another contest I decided to play a little dirty in did. So how did I get around the IP-based block? Proxies, proxies, proxies! After geocoding I'm able to choose which proxies to use and send requests in a random way so it all looks like normal traffic. You can see my blog in the site entries list; I was down by hundreds and caught up in just a few hours... probably raised some flags for the people running the contest :)

So what are the takeaways?

If you're running the contest

  1. Use a form POST to make the vote; it will be harder to trigger and Google won't be voting in your contest
  2. Geocode requests to make sure they are from the right region; this will help you detect somebody using proxies all in China
  3. Have some type of IP-based reporting so you can try and catch big, blatant offenders

If you're "hacking" (or cheating) at a contest

  1. Sniff the HTTP traffic so you can know how to spoof the request identically to the original
  2. Geocode the proxies you use and make sure they are coming from a country that's allowed to participate
  3. If they use a GET request to vote, laugh about it and post the auto-vote URL everywhere (posting to Twitter will get about 20 random crawlers to hit the link and vote as soon as the tweet is made)

Sunday, December 4, 2011

Here's yet another sneak peek of the new Facebook Timeline

Facebook's about to have another big facelift, and not one like giving you an email address; I'm talking a whole profile redesign. I can't wait until I see the "Facebook, turn back the Timeline" group. Everything is becoming objects and actions, and so special events are brought out with special attention (like life events, job changes or marriage), but you can also make up actions. So to get the Facebook Timeline profile before anyone else, you need to trick them into thinking you're a developer who wants to build something for the new system. So first go and sign up to be a Facebook developer; if you do anything with Facebook pages you have probably already done this. From the Developer Dashboard you add a new application, name it some gibberish, and go to the Open Graph section. It looks like this:

Fill out the form with whatever and give it an action. This is the new functionality Timeline provides and what will get you invited early.
Go through the steps until the application is created.

When you go back to your homepage you will see a little alert like below; if you don't see it right away, don't worry, it will show up eventually. Accept the dialog and it will take you through a tour of the new profile. I think they are doing this to try and sell the new look to the users, as they have just made the sweeping change without notice and without an explanation.
OK, now let's go through the tour, although it really is just a big waste of time. It's all pretty self-explanatory, but whatever, it's cool to get it early.
So first they tell you about this new cover thing, which is like a big picture to explain yourself in a giant banner type thing, but there's still a profile picture; it's just a separate cutout over your cover.
And then we have the "don't worry, all your stuff is still here, it's just in a different place that's even better" step, to explain that it's all still OK.
Then you get the all-activity button that shows everything from the beginning of your birth all the way to your death, unabridged, including all that has been redacted from public view.
And then they explain how you should love them forever for giving you access to your whole life all over again. I know I'm getting just a touch sarcastic, but really, what's the purpose of this tour?
And their tools for searching Timeline for what you want to redact seem pretty sucky... there may be potential for an application right there. So after all that they dump you here and let you decide when you want to push your Timeline profile public.

Friday, December 2, 2011

Software engineers by the numbers [infographic]

I don't want to make it a regular thing just to republish other people's infographics, but this one was really cool to me. I may start to republish some of these with some more commentary. I really like to do stuff for conversion rate optimization... I'm finally getting some clients who can really benefit from it, so we are getting to do a lot more. (No, I'm not jumping topics talking about CRO; this infographic is from the CRE guys.) Great Software Engineers